Home > Security Bulletins > S2-018

Summary

Broken Access Control Vulnerability in Apache Struts2

Who should read this All Struts 2 developers and users
Impact of vulnerability Permissions, Privileges, and Access Controls
Maximum security rating Important
Recommendation Developers should immediately upgrade to Struts 2.3.15.2
Affected Software Struts 2.0.0 - Struts 2.3.15.1
Reporter Zhangyan (L), Huawei PSIRT
CVE Identifier CVE-2013-4310

Problem

The Struts 2 action mapping mechanism supports the special parameter prefix action: which is intended to help with attaching navigational information to buttons within forms.

In Struts 2 before 2.3.15.2, under certain conditions this can be used to bypass security constraints. More details will available later on when the patch will be widely adopted.

Solution

In Struts 2.3.15.2 the action mapping mechanism was changed to avoid circumventing security constraints.

Another option is to write your own ActionMapper and completely drop support for "action:" prefix if support for multiple submit buttons isn't used. Consult manual how to write your own ActionMapper.

Backward Compatibility
After upgrading to Struts >= 2.3.15.2, applications using the "action:" should still work as expected.
It is strongly recommended to upgrade to Struts 2.3.15.2, which contains the corrected Struts2-Core library.